In immediate response to the outcome of the recent referendum in the United Kingdom (UK) to leave the European Union (EU), the UK’s data protection regulator, the Information Commissioner’s Office (ICO) released the following statement confirming the UK’s current and future position:
“The Data Protection Act remains the law of the land irrespective of the referendum result. If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ - in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
Despite the UK’s vote to leave the EU on June 24, 2016 (commonly referred to as Brexit), the EU General Data Protection Regulation (GDPR), which comes into force directly across the EU on May 25, 2018, remains relevant to the UK for a number of reasons set out below.
In order to leave the EU, a formal process must be followed, commencing with the activation of Article 50 of the 2009 Lisbon Treaty. Once this has occurred, the UK and the remaining member states of the EU must negotiate the UK’s exit. These negotiations are required to be completed within two years (unless extended by the agreement of the European Council and the UK). As the GDPR will come into force on May 25, 2018, this means that, in all probability, the UK will still be a member of the EU when the GDPR comes into force and, as such and by virtue of the European Communities Act of 1972, the GDPR will apply directly in UK domestic law on May 25, 2018.
If the UK does indeed leave the EU and subsequently elects not to retain the GDPR (whether in whole or in part), the ICO has stated: “The UK will continue to need clear and effective data protection laws, whether or not the country remains part of the EU.” It seems unlikely that the UK would then embark upon a wholesale redrafting of its data protection legislation, given that it already has, in the GDPR, an instrument which is fit for purpose and which it played a major role in negotiating. Following the GDPR would also align the UK’s legal position on data protection with that of its European neighbours, opening the door to a finding that the UK, notwithstanding that it was not a member of the EU, was a territory which provided an adequate level of protection under Article 45 of the GDPR.
Impact of the GDPR on the UK now
Data protection across the EU and European Economic Area (EEA) is regulated by national laws implementing EU Directive 95/46/EC (the Directive), which in the UK is currently (and until the coming into force of the GDPR on May 25, 2018) the Data Protection Act 1998 (DPA). As the UK will almost certainly still be a member of the EU on May 25, 2018, on this date the GDPR will immediately supersede the DPA and apply to the UK until such a time as it formally leaves the EU, following the activation of Article 50 of the 2009 Lisbon Treaty.
The timetable for a Brexit (and, for that matter, whether there will be a Brexit) is, at the time of writing, uncertain. The real impact of the GDPR in the UK depends on how any exit negotiations between the UK and EU develop; the GDPR may be in force in the UK for as little as a few weeks, a few months, or potentially a few years. After the point at which the UK is no longer a member of the EU and the GDPR and all other EU laws are no longer directly applicable to the UK, the GDPR will need to be replaced by a new UK domestic law. For the reasons noted above, it is difficult to see how this would be anything other than substantially similar to the GDPR.
Reform going forward
Between now and the date of any Brexit, Her Majesty’s Parliament faces various options for how to deal with EU legislation, including the GDPR. In the future, for example, the Parliament could keep the DPA in its existing form or revise it, introduce new UK legislation in broadly similar terms to the GDPR or depart from the EU’s approach to data protection entirely.
The UK’s Information Commissioner, Christopher Graham, has stressed that these reforms to the existing data protection regime (as contained in the DPA) would need to continue despite the UK’s exit:
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
UK’s post-Brexit options
The UK has a number of options when it comes to a post-Brexit future. Depending on which one is chosen, the impact on the UK’s data protection regime would vary. For instance:
The UK could elect to join the European Free Trade Association and remain part of the European Economic Area (EEA). In this case, the four freedoms (the free movement of goods, services, persons and capital) as well as competition and state aid rules laid down in the Treaty on the Functioning of the European Union are incorporated into the EEA Agreement, which would then apply to the UK. Opposition to this approach aside, electing this option would oblige the UK under the EEA Agreement with the EU to pass a new law effectively implementing the GDPR in the UK. In such a case, any Brexit would not have much of an impact on the upcoming data protection regime.
The UK could try to negotiate a relationship with the EU along the lines of the Swiss model. This would be similar to the EEA model, except there would be limited free movement of services, which would mean fewer compliance obligations with EU legislation. In its place, a long list of detailed trade agreements between the EU and UK would need to be drawn up.
If the UK elected not to adopt any form of free trade agreement, the World Trade Organisation would govern UK trade with the EU without the need for negotiation. Under this arrangement, there would be limited free movement of services between the EU and UK, and no free movement of EU nationals into the UK or vice versa. In terms of legislation, this would mean that the upcoming GDPR would have no direct effect on the UK, and the UK would be free to revise its data protection framework and deviate from EU standards as it saw fit. The obvious issue which arises here is whether the UK would be classified by the European Commission as a ‘safe third country’, permitting EU personal data to be transmitted to the UK (which would be neither an EU nor an EEA country). If the UK were not regarded as providing an adequate level of protection, data transfers to the UK would be subject to stricter requirements, similar to those which currently apply in relation to the USA and other jurisdictions which do not have a finding of adequacy.
Despite the uncertainty around a Brexit, reforms to the UK data protection legislation are coming in one form or another. The current uncertainties surrounding these reforms should become clearer once the EU exit negotiations start, which is most likely to be in the autumn of this year, when a new Prime Minister is anticipated to be in place.
Regardless of what happens in any Brexit negotiations, if the UK still wishes to trade at anything close to the current levels with the EU it will need to implement a data protection regime which ensures an ‘adequate’ level of data protection controls and safeguards.
Ultimately, economic and commercial motivations will determine the extent to which the UK will have to mirror EU legislation. In practical terms, companies should not, therefore, be deterred from implementing data protection reforms in light of the upcoming GDPR.